Just You Wait

Just You Wait, by Chris Shiflett

Photo location: Indian Peaks, CO (40.1279° N, 105.6365° W)

“I haven’t told why I wrote the book, but I haven’t told why I sneeze, either. A book is a sneeze.” · E. B. WHITE

I turn 50 today.

I feel incredibly lucky to have experienced these particular 50 years.

I was born in 1976 — when Steve Jobs and Steve Wozniak founded Apple, the year after Bill Gates dropped out of Harvard to start Microsoft. But I grew up largely without technology. To me, technology came in waves, and it was always exciting and new.

I remember the Atari 2600, and later the Nintendo. The Commodore 64. The acoustic coupler in War Games. My first PC. The turbo button that made it fast (50 MHz). The sound of dial-up. I remember BBSes and MUDs. Archie, Gopher, Veronica, and the World Wide Web. I was there for all of it.

1994 was a big year for me. I graduated high school in the spring, and started college in the fall. Swamp Ophelia came out that year, and I’ve been an Indigo Girls fan ever since. (I just saw them on Tuesday.) It was a huge year for technology, too. Linux 1.0 was released, the World Wide Web went mainstream, and the W3C was founded. Netscape was released. Amazon was founded. Yahoo! came online. Rasmus created PHP. Even the QR code was invented in 1994.

I loved technology. I ended up switching my major to computer science, because it had the word computer in the name. I learned everything I could and exhausted the curriculum. The department chair told me I should learn HTML, because my C programs could output HTML, and that was the way to build the UIs of the future. I just had to print a couple of extra lines (HTTP headers, but I didn’t know that yet), and voila! I was a web developer. Perl made some things easier, and PHP made them easier still.

When I graduated, I got a job at the USPS in Memphis, and within a couple of years, I was leading one of the most important teams in the organization.

It didn’t start that way. Academia had given me a lot, but the job demanded more. I stopped by Borders every night on my way home to read books and decide which one I was going to buy. A lot of the good ones had animals on the front. (I would later write one of those.) My second bedroom had a dozen servers and half a dozen workstations, most of which were bought on eBay, some of which I built myself. I ran every OS imaginable — multiple flavors of Linux, BeOS, and even Windows. I was building with ColdFusion and Solaris during the day, PHP and Linux at night. I learned all about networking and routing tables. I built my own device drivers. I built Quake to run in ASCII, because Quake was open source. I wrote shell scripts (and had an especially fun time with Expect) and made web apps. I built APIs.

For a few years, I was learning faster than at any other time in my life. I don’t know exactly when it happened, but I went from feeling like I was in over my head to feeling incredibly competent.

I could do anything.

My team built a solution for providing every US citizen with a personal digital certificate. We also built a universal registration system for all USPS services. It was called eServices Registration. I was in a lot of meetings about it, including one with Microsoft, who wanted us to integrate Microsoft Passport. I asked some questions in that meeting, particularly regarding their use of cookies and a recent cookie vulnerability in Internet Explorer. I left that meeting having disclosed a security vulnerability to Microsoft that I discovered just by talking to them, and it led to my first article, published in 2600 Magazine.

This began a deep interest in HTTP and security. You couldn’t view source to see HTTP in the same way you could see HTML, so I made a proxy called Protoscope that would add HTTP request and response details to the HTML. This was years before Firebug. Protoscope taught me HTTP, and I knew it better than any spec, because I got to see how things were actually working. (For many years, the best reference for cookies was a spec published by Netscape, not the RFC.) I ended up writing one of the first books on HTTP.

We lived in Manhattan when we first moved to NYC, above the famous B&H Photo on 34th Street. I worked on 14th Street building eDonkey, which became the world’s largest P2P network. I handled everything server-side and called myself a webmaster. Being the largest P2P network in the world during the height of file sharing meant we were in the news almost daily. I bought server hardware (including two Cisco LocalDirectors) on eBay and learned a lot about networking security and scalability. It was estimated at one point that eDonkey traffic accounted for 40% of all internet traffic worldwide.

My RSS feed dates back to 2003, which is when I started calling my website a blog. I wrote about CSRF that year, and my now-canonical article was published in 2004. I didn’t fully appreciate my luck at the time, but my curiosity had led me to security during the most...
